An Arizona teenager caused havoc in multiple 911 call centers last week after creating a proof of concept of an iOS exploit that caused iPhones to dial 911. The Maricopa County Sheriff’s Office said that one police department was ‘in immediate danger of losing service’ to its 911 center, and two other call centers were also at risk …

18-year-old Meet Desai found a way to use JavaScript to remotely cause iOS devices to open popup alerts, open apps and make phone calls. In an apparent attempt to show the seriousness of the vulnerability, he created code that would cause iPhones to dial the emergency number 911 so that he could claim a bug bounty from Apple. He put the code on his own webserver, and shared the link via Twitter and his YouTube channel (both since deleted).

Victims immediately disconnected the calls when they realized what was happening, but as all dropped calls to 911 have to be investigated – involving, at a minimum, calling back to check that the person who made the call is ok – the potential waste of police resources is substantial.

Police managed to get the webserver taken offline to end the flood of 911 calls. Desai claimed that he had never intended the exploit to go live, and had tweeted the wrong demonstration link.

Meet stated he did manipulate the bug to include the phone number for emergency services 1+911. Meet stated that although he did add that feature to the bug he had no intention of pushing it out to the public, because he knew it was illegal and people would “freak out.” Meet stated that he may have accidentally pushed the harmful version of the (911) bug out to the Twitter link instead of the lesser annoying bug that only caused pop ups, dialing to make people’s devices freeze up and reboot.